As the world becomes more digitized and interconnected, individuals, businesses, governments, and others face increasing threats from cyberattacks. In recent years, both the cost and the severity of cyberattacks have continued to grow at an alarming rate. For example, some reports suggest that the global cost of cybercrime grew from $445 billion in 2014 to as much as $600 billion in 2017. Reports also suggest that cyberattacks are becoming progressively more destructive and are targeting a broadening array of information.
Furthermore, in the United States and other nations, certain entities (especially those that create, receive, maintain, and transmit protected health information) are required by law to conduct security risk analyses. For example, the U.S. Department of Health and Human Services has promulgated regulations that require covered entities and business associates to implement policies and procedures to prevent, detect, contain, and correct security violations of protected health information. These federal regulations require certain entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information . . . ,” to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable level, to apply and enforce sanction policies, and to implement regular information system reviews. See, e.g., 45 C.F.R. § 164.308(a)(1).
In addition to health care providers, many other entities have a need to conduct risk analyses and implement risk management solutions that reduce the likelihood of a breach. As a non-limiting example, medical device manufacturers are required to comply with the Privacy, Breach Notification, and Security Rules found in the Health Insurance Portability and Accountability Act (“HIPAA”). In the mergers and acquisitions context, business entities often desire a thorough risk analysis to determine the excessive risk posed by cyberattacks before making a large investment and/or following a merger or acquisition. Due to the sensitive nature of the information in their possession, law firms also require risk analyses of their cybersecurity measures. It will be appreciated that any number of entities and/or individuals desire risk analysis and risk management to increase their cybersecurity protections.
Accordingly, there is an increasing need, particularly for those that store sensitive information on electronic devices, to understand where cybersecurity exposures are located, to determine which of these exposures face the greatest risk, and where to focus one's cybersecurity resources. Herein, the term “user” describes an individual, entity, or organization that desires to conduct a risk analysis of an information system. Herein, the terms “information systems” and “assets” are used interchangeably to describe a user's resources that create, receive, store, and transmit electronic information.
It is known that risk analysis methods, systems, and software applications implementing computer-readable media can be utilized to analyze the threats and vulnerabilities posed to an organization's assets. However, conventional risk analysis methods, systems, and software applications are not sufficiently robust and do not provide the user with the specific properties of an asset that present risk. Further, the conventional risk analysis methods do not break down an organization's assets into its constituent parts. Instead, in the typical risk analysis method or system, it is entirely up to the user to determine the specific attributes of their organization's asset that present risk. This presents a particular challenge when trying to identify cyberattack vulnerabilities. For example, if a conventional risk analysis method identifies an asset with a weak password, it is difficult to know if the specific weak password risk is posed by the application, the network, or the device. As a result, this deficiency makes it difficult to implement appropriate risk controls.
Conventional risk analysis methods, systems, and software applications implementing computer-readable media present a number of other disadvantages, such as the inability to group components together based on common risks that they face and the common security controls that protect the components. For example, if a user desires to analyze the risk vulnerabilities of a system which comprises five hundred different servers and two hundred of these servers have the exact same risk profile (e.g. these 200 servers had the same operating system and same security controls), the conventional risk analysis method requires the user to separately analyze the risk of all 500 servers even though 200 servers face identical threats. This shortcoming makes the conventional risk analysis method more time consuming and inefficient.
Conventional risk analysis methods, systems, and software applications are also unable to associate multiple components of the same type (e.g. server, desktop, etc.) with a single asset (e.g. a billing system, electronic medical records, etc.). Instead, this can only be accomplished in the conventional risk analysis method or system by creating another asset, often referred to as a “pseudo-asset,” that is given a particular name to identify its association with another asset. For example, if two Storage Area Network (SAN) devices support a single system wherein one serves as Production Data storage and the other acts as a backup to the Production SAN, the typical risk analysis method requires the user to set up a “pseudo-asset” for the backup SAN (such as “Asset XYZ Backup”) in order to analyze the risks posed to these two components.
Accordingly, there is a significant need for a risk analysis method that facilitates the breakdown of an asset into various components to allow risks to that asset to be analyzed at an appropriately granular level. Likewise, there is a need to group similar components from different assets together for risk analysis based on the common risks that they face. Such an improvement would permit the risk analysis process to be much more efficient and less time-consuming than the conventional method, which requires each component to be analyzed individually. There is also a need for a risk analysis method that allows multiple components of the same type but with slightly different properties or cybersecurity control settings (e.g., servers operating with a Windows™ operating system versus servers operating with a Linux™ operating system) to be associated with the same asset and to be risk-analyzed separately from other components because they face different risks. Along with other features and advantages outlined herein, risk analysis methods within the scope of the present embodiments meet these and other needs by providing a technical solution to the technical problem posed by the conventional risk analysis methods and systems. In doing so, the risk analysis methods within the scope of the present embodiments provide more robust risk analyses, provide faster and more efficient risk analyses, and provide a more user-friendly definition of the risk profile for assets.
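The three needs described above (decomposing an asset into components, grouping components from different assets by a shared risk profile so each profile is evaluated once, and attaching several components of the same type to one asset without a "pseudo-asset") can be illustrated with a small data model. The following is an added example, not code from the patent or from any product it describes; the `RiskProfile`, `Component`, and `Asset` classes, the `BASELINE` control table, and the sample inventory (a billing system with a production SAN and a backup SAN, and a web system with Windows and Linux servers) are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RiskProfile:
    """Properties that determine which threats a component faces.

    Two components with equal profiles face identical risks and are
    analyzed once. Field names are constructed for this example.
    """
    component_type: str      # e.g. "server", "storage", "desktop"
    platform: str            # operating system or firmware family
    controls: frozenset      # security controls that are in place


@dataclass(frozen=True)
class Component:
    name: str
    profile: RiskProfile


@dataclass
class Asset:
    """A user's information system, made up of any number of components,
    including several of the same type (no 'pseudo-asset' needed)."""
    name: str
    components: list = field(default_factory=list)


# Constructed control baseline: which controls each component type is
# expected to have. A control missing from a profile is reported as an exposure.
BASELINE = {
    "server": frozenset({"patching", "mfa", "logging"}),
    "storage": frozenset({"encryption-at-rest", "backup-tested", "logging"}),
}


def group_by_profile(assets):
    """Map each distinct RiskProfile to the (asset, component) pairs sharing it."""
    groups = defaultdict(list)
    for asset in assets:
        for comp in asset.components:
            groups[comp.profile].append((asset.name, comp.name))
    return dict(groups)


def analyze(assets):
    """Evaluate each profile once and fan the result out to every member.

    Returns {profile: {"members": [(asset, component), ...],
                       "missing_controls": sorted list of control names}}.
    """
    report = {}
    for profile, members in group_by_profile(assets).items():
        required = BASELINE.get(profile.component_type, frozenset())
        report[profile] = {
            "members": members,
            "missing_controls": sorted(required - profile.controls),
        }
    return report


def build_sample_inventory():
    """Constructed inventory: a billing asset with a production SAN and a
    backup SAN (same type, same asset), and a web asset whose five servers
    fall into two profiles (three Windows, two Linux)."""
    win = RiskProfile("server", "windows", frozenset({"patching", "logging"}))
    lin = RiskProfile("server", "linux", frozenset({"patching", "mfa", "logging"}))
    san = RiskProfile("storage", "san-fw-1", frozenset({"encryption-at-rest", "logging"}))
    billing = Asset("billing", [Component("san-prod", san), Component("san-backup", san)])
    web = Asset("web", [Component(f"web-{i}", win) for i in range(3)]
                       + [Component(f"api-{i}", lin) for i in range(2)])
    return [billing, web]


if __name__ == "__main__":
    # Seven components collapse to three profiles; each is evaluated once.
    for profile, result in analyze(build_sample_inventory()).items():
        print(profile.component_type, profile.platform,
              len(result["members"]), "component(s); missing controls:",
              result["missing_controls"])
```

Because `RiskProfile` is a frozen dataclass, equal profiles hash equally and act as the grouping key: the 200-of-500 identical servers from the example above would become a single entry whose analysis is applied to all 200 members, while the two SAN components remain ordinary components of the billing asset rather than a separate named asset.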